Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 21.12.2017

Basic Construction 12-11-2018

Lamport-Diffie OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 sk1,1 skm,0 skm,1 Mux b1 Mux b2 Mux bm H H H H H H pk1,0 pk1,1 pkm,0 pkm,1 sk1,b1 skm,bm 12-11-2018

Merkle’s Hash-based Signatures PK SIG = (i=2, , , , , ) H OTS H H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 12-11-2018

Security Theorem: MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.

Reduction Input: 𝑘, 𝑝𝑘 𝑂𝑇𝑆 Choose random 0≤𝑖< 2 ℎ Generate key pair using 𝑝𝑘 𝑂𝑇𝑆 as 𝑖th OTS public key and 𝐻← ℎ 𝑘 Answer all signature queries using sk or sign oracle (for index 𝑖) Extract OTS-forgery or collision from forgery

Reduction (Step 4, Extraction) Forgery: ( 𝑖 ∗ ,𝜎 𝑂𝑇𝑆 ∗ , 𝑝𝑘 𝑂𝑇𝑆 ∗ , AUTH) If 𝑝𝑘 𝑂𝑇𝑆 ∗ equals OTS pk we used for 𝑖 ∗ OTS, we got an OTS forgery. Can only be used if 𝑖 ∗ =𝑖. Else adversary used different OTS pk. Hence, different leaves. Still same root! Pigeon-hole principle: Collision on path to root.

Winternitz-OTS

Recap LD-OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig H H * sk1,0 sk1,1 skm,0 skm,1 Mux b1 Mux b2 Mux bn H H H H H H pk1,0 pk1,1 pkm,0 pkm,1 sk1,b1 skm,bm

LD-OTS in MSS Verification: 1. Verify 2. Verify authenticity of SIG = (i=2, , , , , ) Verification: 1. Verify 2. Verify authenticity of We can do better!

Trivial Optimization Message M = b1,…,bm, OWF H = n bit SK H H H H H H * SK sk1,0 sk1,1 skm,0 skm,1 Mux b1 Mux ¬b1 Mux bm Mux ¬bm H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 Sig sig1,0 sig1,1 sigm,0 sigm,1

Optimized LD-OTS in MSS X SIG = (i=2, , , , , ) Verification: 1. Compute from 2. Verify authenticity of Steps 1 + 2 together verify

Germans love their „Ordnung“! Message M = b1,…,bm, OWF H SK: sk1,…,skm,skm+1,…,sk2m PK: H(sk1),…,H(skm),H(skm+1),…,H(sk2m) Encode M: M‘ = M||¬M = b1,…,bm,¬b1,…,¬bm (instead of b1, ¬b1,…,bm, ¬bm ) ski , if bi = 1 Sig: sigi = H(ski) , otherwise Checksum with bad performance!

Optimized LD-OTS Message M = b1,…,bm, OWF H SK: sk1,…,skm,skm+1,…,skm+log m PK: H(sk1),…,H(skm),H(skm+1),…,H(skm+log m) Encode M: M‘ = b1,…,bm,¬ 1 𝑚 𝑏 𝑖 ski , if bi = 1 Sig: sigi = H(ski) , otherwise IF one bi is flipped from 1 to 0, another bj will flip from 0 to 1

12. November 2018 Function chains Function family: 𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑛 → {0,1} 𝑛 ℎ 𝑘 $ 𝐻 𝑛 Parameter 𝑤 Chain: c0(x) = x 𝒄 𝒘−𝟏 (𝑥) 𝑐1(𝑥) = ℎ 𝑘 (𝑥) |

12. November 2018 WOTS Winternitz parameter w, security parameter n, message length m, function family 𝐻 𝑛 Key Generation: Compute 𝑙, sample ℎ 𝑘 c0(sk1) = sk1 pk1 = cw-1(sk1) c1(sk1) One promissing group of candidates are hash-based signature schemes They start from an OTS – a signature scheme where a key pair can only be used for one signature. The central idea – proposed by Merkle - is to authenticate many OTS keypairs using a binary hash tree These schemes have many advantages over the beforementioned Quantum computers do not harm their security – the best known quantum attack is Grovers algorithm – allowing exhaustiv search in a set with n elements in time squareroot of n using log n space. They are provably secure in the standard model And they can be instantiated using any secure hash function. On the downside, they produce long signatures. c1(skl ) pkl = cw-1(skl ) c0(skl ) = skl |

WOTS Signature generation 12. November 2018 WOTS Signature generation M b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bm‘+2 … … bl c0(sk1) = sk1 pk1 = cw-1(sk1) C σ1=cb1(sk1) Signature: σ = (σ1, …, σl ) Well, this work is concerned with the OTS. There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS. The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important - It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore. pkl = cw-1(skl ) c0(skl ) = skl σl =cbl (skl ) |

WOTS Signature Verification 12. November 2018 WOTS Signature Verification Verifier knows: M, w b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bl 1+2 … … bl 𝒄 𝟏 (σ1) 𝒄 𝟑 (σ1) pk1 =? σ1 𝒄 𝟐 (σ1) 𝒄 𝒘−𝟏− 𝒃 𝟏 (σ1) Signature: σ = (σ1, …, σl ) Well, this work is concerned with the OTS. There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS. The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important - It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore. pkl =? σl 𝒄 𝒘−𝟏− 𝒃 𝒍 (σl ) |

WOTS Function Chains For 𝑥∈ 0,1 𝑛 define 𝑐 0 𝑥 =𝑥 and

WOTS Security Theorem (informally): 12. November 2018 WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if 𝐻 𝑛 is a collision resistant family of undetectable one-way functions. W-OTS$ is existentially unforgeable under chosen message attacks if 𝐻 𝑛 is a pseudorandom function family. W-OTS+ is strongly unforgeable under chosen message attacks if 𝐻 𝑛 is a 2nd-preimage resistant family of undetectable one-way functions. In our work we showed that we can slightly change the original WOTS construction, such that it uses a function family instead of the hash function family. The resulting scheme is existentially unforgeable under chosen message attacks, if the function family is pseudorandom. This result has two implications: |

XMSS

XMSS Tree: Uses bitmasks Leafs: Use binary tree with bitmasks OTS: WOTS+ Mesage digest: Randomized hashing Collision-resilient -> signature size halved bi

Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2h) → Θ(d2h/d) -> Allows to reduce worst-case signing times Θ(h/2) → Θ(h/2d)

How to Eliminate the State

Protest? 12-11-2018

Few-Time Signature Schemes 12-11-2018

Recap LD-OTS Message M = b1,…,bn, OWF H = n bit SK PK Sig H H H H H H * sk1,0 sk1,1 skn,0 skn,1 Mux b1 Mux b2 Mux bn H H H H H H pk1,0 pk1,1 pkn,0 pkn,1 sk1,b1 skn,bn 12-11-2018

HORS [RR02] Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) SK PK * sk1 sk2 skt-1 skt H H H H H H pk1 pk1 pkt-1 pkt 12-11-2018

HORS mapping function Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * M H’ b1 b2 ba bar i1 ik 12-11-2018

HORS Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK sk1 sk2 skt-1 skt H H H H H H PK pk1 pk1 pkt-1 pkt H’(M) b1 b2 ba ba+1 bka-2 bka-1 bka Mux Mux i1 ik ski1 skik 12-11-2018

HORS Security 𝑀 mapped to 𝑘 element index set 𝑀 𝑖 ∈ {1,…,𝑡} 𝑘 Each signature publishes 𝑘 out of 𝑡 secrets Either break one-wayness or… r-Subset-Resilience: After seeing index sets 𝑀 𝑗 𝑖 for 𝑟 messages 𝑚𝑠𝑔 𝑗 , 1 ≤𝑗≤𝑟, hard to find 𝑚𝑠𝑔 𝑟+1 ≠ 𝑚𝑠𝑔 𝑗 such that 𝑀 𝑟+1 𝑖 ∈ ⋃ 1 ≤𝑗≤𝑟 𝑀 𝑗 𝑖 . Best generic attack: Succr-SSR(𝐴,𝑞) = 𝑞 𝑟𝑘 𝑡 𝑘 → Security shrinks with each signature! 12-11-2018

HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn → (k(log t − x + 1) + 2x)n E.g. SPHINCS-256: 2 MB → 16 KB Use randomized message hash 12-11-2018

SPHINCS Stateless Scheme XMSSMT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

Hash & sign without collision resistance

PKC with variable-length inputs Hard to build variable input length constructions (Schoolbook RSA) Direct constructions are inefficient (See the hash-based constructions for long messages) Full adversarial control over input can harm security (Schoolbook RSA) For encryption: Use hybrid encryption -> PKE only encrypts “short” symmetric key. For signatures: Hash-and-sign -> SIG only signs “short” message digest

Security of Hash & Sign Theorem. Given an EU-CMA-secure Signature scheme for fixed-length inputs and a collision-resistant family of hash functions. The hash & sign signature scheme for varibable-length inputs, obtained by first applying a hash function from the family and then signing the resulting digest, is EU-CMA-secure.

Reminder EU-CMA PK, 1n SK q Mi SIGN (σi, Mi) (σ*, M*) Success if M* ≠ Mi , Ɐ i ∈ [0,q] and Verify(pk,σ*,M*) = Accept

Security of Hash & Sign Reduction Input: pk & access to SIGN, hash function key k. Output: Forgery or collision. Give (pk, k) as public key to A. Answer signing queries 𝑀 𝑖 computing 𝑚𝑑 𝑖 = ℎ 𝑘 ( 𝑀 𝑖 ) and sending 𝑚 𝑑 𝑖 to SIGN. Given forgery ( 𝑀 ∗ , 𝜎 ∗ ) compute 𝑚 𝑑 ∗ = ℎ 𝑘 ( 𝑀 ∗ ) If ∃𝑖≤𝑞:𝑚 𝑑 ∗ ==𝑚 𝑑 𝑖 , return collision ( 𝑀 ∗ , 𝑀 𝑖 ) Else, return forgery (𝑚 𝑑 ∗ , 𝜎 ∗ )

Recall: Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) MD5 & SHA-1 No (Second-) Preimage Attacks! SHA-1 Collisions (theo.) 2004 2005 2008 2015 12-11-2018

Target-collision resistance (TCR) 𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑚 𝑛 → {0,1} 𝑛 ℎ 𝑘 $ 𝐻 𝑛 Success if ℎ 𝑘 𝑥 𝑐 = ℎ 𝑘 𝑥 ∗ Run 1 Run 2 𝑥 𝑐 ,𝑘, 𝑆 𝐻 𝑛 𝑥 𝑐 , 𝑆 𝑥 ∗

Target-collision resistance stronger / easier to break Collision-Resistance Assumption / Attacks 2nd-Preimage-Resistance TCR One-way Pseudorandom weaker / harder to break

TCR vs. SPR TCR -> SPR: Note that A in „Run 2“ is just an SPR adversary! Every TCR function family must be SPR! SPR -> TCR: Per construction Given a SPR function, use key of length 𝑚 Key the function by XORing key to message: ℎ 𝑘 ′ 𝑥 =ℎ(𝑥⊕k)

TCR of „XOR construction“ Reduction Input: SPR function ℎ, target 𝑥 𝑐 Output: Second-preimage 𝑥 ∗ for 𝑥 𝑐 Run TCR adversary A to obtain 𝑥 𝑐 ′ Compute 𝑘= 𝑥 𝑐 ′ ⊕ 𝑥 𝑐 Run A on 𝑘 to obtain 𝑥 ∗ ′ Output 𝑥 ∗ = 𝑥 ∗ ′ ⊕𝑘 Note: ℎ 𝑘 ′ 𝑥 𝑐 ′ =ℎ 𝑥 𝑐 ′ ⊕k = ℎ 𝑥 𝑐 ′ ⊕ 𝑥 𝑐 ′ ⊕ 𝑥 𝑐 =ℎ 𝑥 𝑐 = ℎ 𝑘 ′ 𝑥 ∗ ′ =ℎ 𝑥 ∗ ′⊕k = ℎ( 𝑥 ∗ )

TCR Hash & Sign Input: Fixed input-length signature scheme SIG=(KeyGen,Sign, Verify), TCR function family Output: Variable input length signature scheme SIG‘ KeyGen‘ = KeyGen Sign‘: Given 𝑀,𝑠𝑘 sample random function key 𝑘, compute 𝑚𝑑= ℎ 𝑘 (𝑀), compute 𝜎= 𝑆𝑖𝑔𝑛((𝑘||𝑚𝑑),𝑠𝑘), return 𝜎′=(𝑘,𝜎) Verify‘: Compute 𝑚𝑑= ℎ 𝑘 (𝑀), output 𝑉𝑒𝑟𝑖𝑓𝑦((𝑘||𝑚𝑑),𝜎,𝑝𝑘)

Security of TCR Hash & Sign Reduction Input: pk & access to SIGN, hash function key k „oracle“. Output: Forgery or target-collision. Give pk as public key to A. Answer signing queries 𝑀 𝑖 sending 𝑀 𝑖 to oracle to get 𝑘 𝑖 , computing 𝑚𝑑 𝑖 = ℎ 𝑘 𝑖 ( 𝑀 𝑖 ) and sending ( k i ,𝑚 𝑑 𝑖 ) to SIGN. Given forgery ( 𝑀 ∗ , 𝜎 ∗ )=( 𝑀 ∗ ,( 𝑘 ∗ , 𝜎 ∗ ′)) compute 𝑚 𝑑 ∗ = ℎ 𝑘 ∗ ( 𝑀 ∗ ) If ∃𝑖≤𝑞:𝑚 𝑑 ∗ ==𝑚 𝑑 𝑖 & 𝑘 𝑖 == 𝑘 ∗ , return collision ( 𝑘 𝑖 , 𝑀 ∗ , 𝑀 𝑖 ) Else, return forgery (( 𝑘 ∗ ||𝑚 𝑑 ∗ ), 𝜎 ∗ )

Note: If the 𝑘 𝑖 weren’t signed, the second-to-last step wouldn’t work! An adversary could output a forgery ( 𝑀 ∗ , 𝜎 ∗ )= ( 𝑀 ∗ ,( 𝑘 ∗ , 𝜎 ∗ ′)) such that ℎ 𝑘 ∗ 𝑀 ∗ =𝑚 𝑑 ∗ =𝑚 𝑑 𝑖 = ℎ 𝑘 𝑖 𝑀 𝑖 , for some 𝑖≤𝑞, but 𝑘 ∗ ≠ 𝑘 𝑖 . Hence, ( 𝑘 𝑖 , 𝑀 ∗ , 𝑀 𝑖 ) is no target-collision! However, 𝜎 𝑖 still works as signature for 𝑚 𝑑 ∗ . ⇒ EU-CMA of fixed-length input SIG not violated! Really need to sign keys!

Problem using XOR-construction: Key-length == Message-length 𝑆𝑖𝑔𝑛((𝑘||𝑚𝑑),𝑠𝑘) We have to sign messages of length hash function key-length + digest length Even decreased possible message length!

Bellare & Rogway: XOR-tree Reduce key-length to 2𝑛 log 2 𝑚 𝑛 . (m-bit message, n-bit digest) Given SPR hash ℎ: 0,1 2𝑛 → 0,1 𝑛 split message into 𝑚 𝑛 , 𝑛-bit blocks Build binary hash tree of height t= log 2 𝑚 𝑛 using message blocks as leaves. (Assume t is integer) Keying: Split key into t 2n-bit blocks 𝑏 𝑗 called bitmasks. XOR values on level j with j-th bitmask before applying ℎ 𝑚𝑑 is root of tree

XOR-tree Reduction Input: SPR function ℎ, target 𝑥 𝑐 Output: Second-preimage 𝑥 ∗ for 𝑥 𝑐 Select random node 𝑁 𝑖 ′ , 𝑗 ′ in tree Given message 𝑀, compute tree up to children 𝑁 2𝑖 ′ , 𝑗 ′ −1 , 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 of 𝑁 𝑖 ′ , 𝑗 ′ , sampling the required 𝑏 𝑗 at random. Select 𝑏 𝑗 ′ =( 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 )⊕ 𝑥 𝑐

XOR-tree Reduction, cont‘d Input: SPR function ℎ, target 𝑥 𝑐 Output: Second-preimage 𝑥 ∗ for 𝑥 𝑐 Select 𝑏 𝑗 ′ =( 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 )⊕ 𝑥 𝑐 ⇒ 𝑁 𝑖 ′ , 𝑗 ′ =h 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 ⊕ 𝑏 𝑗 ′ =h 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 ⊕( 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 )⊕ 𝑥 𝑐 =ℎ( 𝑥 𝑐 )

XOR-tree Reduction, cont‘d Select remaining 𝑏 𝑗 at random Run 𝑀 ∗ =𝐴(𝑀,𝑘,𝑆) with 𝑘= (𝑏 1 ,…, 𝑏 𝑡 ) Compute 𝑥 ∗ = 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 ⊕ 𝑏 𝑗 ′ from 𝑀 ∗ and output it. Remember MSS reduction? As 𝑀 ∗ ≠𝑀 but ℎ 𝑘 𝑀 ∗ = ℎ 𝑘 𝑀 there must exist at least one node which is equal in both trees but has different children in the trees obtained from 𝑀 ∗ and 𝑀. We selected a random node, so hit it with probability (#𝑛𝑜𝑑𝑒 𝑠) −1 = 2𝑚 𝑛 −1 −1

XOR-tree 2𝑛 log 2 𝑚 𝑛 still pretty large! Can be improved, but not asymptotically. For a large group of constructions, key length 𝒪 log 2 𝑚 is optimal!

Approach 1: ROM An RO, keyed by prefixing with key, is a TCR hash function. No way to get TCR from Merkle-Damgard construction without (implicitly) assuming collision resistance.

Approach 2: eTCR 𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑚 𝑛 → {0,1} 𝑛 ℎ 𝑘 $ 𝐻 𝑛 Success if 𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑚 𝑛 → {0,1} 𝑛 ℎ 𝑘 $ 𝐻 𝑛 Success if ℎ 𝑘 𝑥 𝑐 = ℎ 𝑘 ∗ 𝑥 ∗ Run 1 Run 2 𝑥 𝑐 ,𝑘, 𝑆 𝐻 𝑛 𝑥 𝑐 , 𝑆 𝑘 ∗ , 𝑥 ∗

Still need to send key along with signature! Note: If the 𝑘 𝑖 weren’t signed, the second-to-last step wouldn’t work! An adversary could output a forgery ( 𝑀 ∗ , 𝜎 ∗ )= ( 𝑀 ∗ ,( 𝑘 ∗ , 𝜎 ∗ ′)) such that ℎ 𝑘 ∗ 𝑀 ∗ =𝑚 𝑑 ∗ =𝑚 𝑑 𝑖 = ℎ 𝑘 𝑖 𝑀 𝑖 , for some 𝑖≤𝑞, but 𝑘 ∗ ≠ 𝑘 𝑖 . Hence, ( 𝑘 𝑖 , 𝑀 ∗ , 𝑀 𝑖 ) is no target-collision! However, 𝜎 𝑖 still works as signature for 𝑚 𝑑 ∗ . ⇒ EU-CMA of fixed-length input SIG not violated! Really need to sign keys! Now ok! Don‘t need to sign keys! Still need to send key along with signature!

Approach 2: eTCR Can get short-key-constructions in standard model (from pretty strong, non-common assumptions) RO with prefixed key has this property Just require it as property from new hash functions (SHA-3 competition).

Real life version: Randomized Hashing eTCR-hash & sign: 𝑆𝐼𝐺𝑁′ 𝑀,𝑠𝑘 = 𝑅, 𝑆𝐼𝐺𝑁 𝐻 𝑅∥𝑀 ,𝑠 𝑘 𝑎 where 𝑅=𝑃𝑅𝐹(𝑠 𝑘 𝑏 ,𝑀) Not “provably weaker assumption than collision resistance”. In practice: Known collision does not help as R is unpredictable.

The multi-target issue What‘s the attack target? A special single Person? Wouldn‘t anyone in the company work? Wouldn‘t the ability to forge for any of Google‘s servers be sufficient? ...

The multi-target issue Neglected in EU-CMA model Relevant in practice! Can significantly harm security! Assume security of signature relies on hardness of finding preimage... ... Finding single preimage takes 𝒪( 2 𝑛 ) time ... Finding one out of p preimages takes 𝒪 2 𝑛 𝑝 time

Multi-target eTCR attack Collect as many signatures of as many possible vicitims as possible. Store the message digests used in the sigs in sorted DB Start search for 𝑘, 𝑥 such that h 𝑘 𝑥 matches entry in DB Complexity goes down from 𝒪( 2 𝑛 ) to 𝒪 2 𝑛 𝑝

Preventing multi-target attacks, state of the art Not known how to prevent this for single user (without state / signing k) Can reduce #targets p: 𝑆𝐼𝐺𝑁′ 𝑀,𝑠𝑘 = 𝑅, 𝑆𝐼𝐺𝑁 𝐻 𝑅∥𝑝𝑘∥𝑀 ,𝑠 𝑘 𝑎 where 𝑅=𝑃𝑅𝐹(𝑠 𝑘 𝑏 ,𝑀) Makes hash depending on pk For „good“ hash function H, attacker has to decide on target for each evaluation of H. For stateful schemes: Also add signature index.

Multi-target attack prevention Used in recent Internet Drafts (e.g. draft-irtf-cfrg- eddsa-08, draft-irtf-cfrg-xmss-hash-based- signatures-07) If scheme already uses randomness (EC-DSA: 𝑅= 𝑟 𝐵) might reuse that -> authenticates R! Price for avoiding collision resistance...

Thank you! Questions? For references & further literature see https://huelsing.wordpress.com/hash-based-signature-schemes/literature/ 12-11-2018